Posted
by
kdawsonon Tuesday August 11, 2009 @06:01PM
from the if-I-want-bing-I-will-type-bing dept.

Jaeden Stormes writes "We just started getting word of a new browser hijack from our sales force. 'Some site called Bing?' they said. Sure enough, since the patches last night, their IE6 and IE7 installations are now routing all NXDOMAINs to Bing. Try it out — put in something like www.DoNotHijackMe.com." We've had mixed results here confirming this: one report that up-to-date IE8 behaves as described. Others tried installing all offered updates to systems running IE6 and IE7 and got no hijacking. Update: 08/11 23:24 GMT by KD: Readers are reporting that it's not Bing that comes up for a nonexistent domain, it's the user's default search engine (noting that at least one Microsoft update in the past changed the default to Bing). There may be nothing new here.

Most if not all versions of IE (6+, and probably older ones too) have a feature called search from address bar [sevenforums.com]. With this setting enabled, anything typed in the address bar which does not resolve to a website, is passed on to the default search engine, whichever that may be.
Perhaps a recent update turned this feature ON for people who had it turned OFF? But the feature itself is most definitely not new or news.

The truth, it looks like, is that MS updated the search service in IE and may have changed the default settings. The old default was disabled with Live search being the first option selected. The new default is probably to have it enabled with Bing as the first option - Bing has definitely replaced Live in the list of search providers.

Calling it "Hijacking" a non-existing domain name is a bit over-the-top. Chances are nobody thought us geeks would be too slow to pick up on what actually happened rather than getting our collective panties in a bunch about a non-issue.

Does anybody really think MS is stupid enough to switch on mass-DNS hijacking? Did everybody get stupid all of a sudden?

Makes the statement from the first MIB movie seem all too true: A person is smart, but people are stupid (paraphrase).

Actually, Ballmer hired me to do this. He asked that I do it, instead of MS people, because he wants to maintain "plausible deniability". I got it all done, then Steve wants to pay me less than half of what he promised. Says, since it only took me two days to finish it up, I didn't earn my money. BASTARD THREW A CHAIR AT ME AND TOLD ME TO GET OUT!!!

I mean really. We can get a page telling us the site doesn't exist, or we can be re-directed to a search engine which can help us find what we were looking for.
Yeah it helps pimp Microsoft, but I figure if you are using their browser, it is fair game.

Domain hijacking is a huge deal for me. Primarily, when I'm on an internet connection that's hijacking the domain, if I type 'amazon', firefox first checks if I have an amazon in my searchdomain (ie: amazon.example.com), and if not, it tries adding a.com, then a www. and a.com... if the ISP is hijacking it, I get an answer to 'amazon' with the hijacked page. This means that I have to type the.com every time.

with a browser doing the same thing, I could be trying to connect to my primary server (wolverine) and if I mistype the webaddress, it redirects me to bing, changing my URL bar to the bing URL which means that when I've typed 'wolverine/some/really/long/path?with=variables' I have to go type that whole thing over again to correct it rather than just fixing it in the addressbar.

so, hijacking the DNS is a BITCH and is totally annoying all the time.

This isn't an example of domain hijacking, this is an example of an annoying browser feature.

Domain hijacking refers to a range of activities, some of which are illegal, and some of which are just annoying. In the traditional sense, domain hijacking usually involves exploitation of domain registrar update process or social engineering to steal a domain name, and direct traffic to another (possibly nefarious) website. In this case, someone has literally taken (stolen) another person's property and used it for their own purposes.

I've also seen the term legitimately used to describe NXDOOMAIN hijacking, where ISPs answer requests for 'nonexistant' domains, redirecting traffic for their own purposes. This causes a lot of headaches for IT, but is not illegal.

Primarily, when I'm on an internet connection that's hijacking the domain, if I type 'amazon', firefox first checks if I have an amazon in my searchdomain (ie: amazon.example.com)

No. When you're on an internet connection that's hijacking the domain, amazon resolves to a 'service' provided by your ISP even though it's not a registered domain.

, and if not, it tries adding a.com, then a www. and a.com...

What you mean is that if your ISP's DNS service works correctly and tells you that amazon.com doesn't exist, your web browser (Firefox in this case) has some heuristic for trying other DNS queries in an attempt to help you, and when those queries are exhausted it takes you to a search engine.

if the ISP is hijacking it, I get an answer to 'amazon' with the hijacked page. This means that I have to type the.com every time.

Which is what you should have written first.

So you have to type.com when you mean amazon.com. Yeah, that's like saying that I have to write Plymouth, MA next to 02364 on my address. The postal service is run by people, and usually, they can figure it out, but if the address is wrong, it's your fault, even if they helpfully fix it for you.

with a browser doing the same thing, I could be trying to connect to my primary server (wolverine) and if I mistype the webaddress, it redirects me to bing, changing my URL bar to the bing URL which means that when I've typed 'wolverine/some/really/long/path?with=variables' I have to go type that whole thing over again to correct it rather than just fixing it in the addressbar.

So turn off the feature which searches with the default search engine when your DNS query fails.

If you want to bypass DNS for your machines, put your own entries in your "/etc/hosts file" (%WINDIR%\System32\drivers\etc\hosts on Windows). Also, you can run your own DNS service locally.

so, hijacking the DNS is a BITCH and is totally annoying all the time.

Only if you aren't technically savvy enough to use a web browser. After you type amazon.com in once into IE or Firefox or Chrome these days, the autocompletion helpers from your recent history usually have enough context that shift+enter (in IE anyway, not sure about the others) takes you where you want to go.

The real problem with DNS servers hijacking broken requests is that they lie to network tools, not just web browsers. This can cause serious problems. DNS is used for more than just HTTP.

My god, this service has existed since they launched IE6, it is simply turned off by default.

Hit the big "Search" button in the toolbar, and hit customize, and you can change what search provider the address bar search uses. You can disable/enable/change the address bar search option in Internet Options/Advanced.

They obviously recently updated the list of service providers to replace Live search with Bing. My guess is they changed the default address bar search behavior also, and anybody who was using the defaults got changed over.

Nobody seems upset that Chrome does this by default, or that FireFox can do this too. Frickin hypocrites.

Seriously, get ahold of yourselves people, you're really getting upset that IE tries to find the website you were looking for instead of saying "Website not found"? And it's somehow DNS hijacking? Get a grip people!

For starters, "slashdot.gobcom" is not a properly formatted absolute URL, because it lacks the scheme (you know, that "http://" thingy). On the other hand, "slashdot" is a valid relative URL. You have to decide what you actually want here.

In any case, if you go with the sane option of only considering absolute URLs, then it's exactly how IE works (version 8, at least). If you type "nothingforyoutoseehere", it tries to prepend "http://" and resolve it as such, and if that fails, redirects to the default sear

No, no it shouldn't. http://www.donothijackme.com/ [donothijackme.com] does not show up with anything, it opens up a error message reading "Server not found
Firefox can't find the server at www.donothijackme.com.
* Check the address for typing errors such as
ww.example.com instead of
www.example.com
* If you are unable to load any pages, check your computer's network
connection.
* If your computer or network is protected by a firewall or proxy, make sure

I think you've grabbed every DNS-related RFC you can find, hoping that I had not read them. I have, and so I will ask you to be more specific. Which part of RFC 2065 (DNSSEC) is violated? Are you suggesting that IE is a poorly-implemented DNS caching server which does not cache negative results (RFC 2038)? I'm particularly curious why you cited RFC 1536. Did the subject of the conversation turn to whether IE is appending your local domain to DNS queries for non-explicit FQDNs?

The only specific citation you've made from the DNS-related RFCs is about structuring the DNS header. I have yet to see anyone point to any claim that IE sends improperly formatted DNS headers. What they ARE doing is presenting your NXDOMAIN result accompanied by results for a search on the missing domain.

I still do not see a standard which requires a browser or other application's response to an NXDOMAIN to not accompany it with search results, and I do not believe one exists. If your script relies on IE presenting NXDOMAINs in a specific way, then you have a badly-written script, and you shouldn't have expected it to keep working.

Standards exist for a reason. If vendors behaves in a non-uniform manner then it makes the development of protocols and software much more challenging. More importantly, it stifles the entire industry.

Speaking of standards, the summary should be using example.com for their domain.

I agree fully that "example.com" really ought to be used as the example domain. That's the only thing we should actually be outraged about. In this case, a web browser handling an nxdomain result by automatically doing a search d

I've done it in IE8. With Google as the search provider, it goes to Google. With Bing as the provider, it goes to Bing. With Yahoo as the provider, it goes to Yahoo... Hell, with eBay as the selected provider, it searches eBay. You get the picture.

That is entirely up to the browser. If the user does not like it, there is an option to turn that off, and there are other browsers which behave differently. NXDOMAIN highjacking is a problem because it is a violation of a standard internet protocol and interferes with other protocols. This is not highjacking. It's a user agent reacting to NXDOMAIN. There is no technical reason why it shouldn't do what it does.

I -DO- know what I'm talking about, and I don't know how this made news because I've had IE do this for me for at least a year as Google as my default search provider, sending me to google if I mistyped a domain name or something. And when I didn't have google set, it was "Windows Live search".

Now its Bing.

I'm pretty sure you Don't know what YOU'RE talking about, because you use Firefox and haven't kept up with IE. Just like the article.

It's there, it was just renamed. In the same area, find the "Search from the Address bar" section and then click "Do not submit unknown addresses to your auto-search provider." True, it's a little bit confusingly worded, but the option is still there.

It isn't actually Bing that it goes to, it is whatever your default search provider is. Now that is Bing by default, but you can change it to anything you want. IE8 asks you during setup, and you can change it later. So if you change it to Google and enter a non-existent domain, it'll send you to Google with a search for that.

Similar to how Firefox works, just in more cases. In FF, if you enter a name with no domain, it tries some popular ones like.com. If it can't find any, it then does a search in your default provider. IE is doing a similar thing, but doing the search even if you do enter a domain.

But it becomes a bad thing when you do it for non-existent domains. When you type something without the domain name, its assumed you are searching for something, when you enter a non-existent domain, its sorta like dialing a wrong number. I'd rather the phone system tell me I have a wrong number rather than trying to get me where it thinks I want to go. If I call 555-555-5555 chances are I want 555-555-5555, it should not assume that I want 555-555-XXXX. When I want to go to something.com,.net,.org, or another domain, I want it it to show me the domain, if there is no domain, tell me there is no domain.

I'm saying what it is doing, and why. It isn't "hijacking" it is trying to be helpful to users that mistype a domain.

If I do something incorrectly, the most helpful thing at that point is to let me see that it caused an error. The idea that an error would confuse me or be too much for me to handle and so must be avoided at all costs is a good way to prevent me from learning why my original attempt didn't work and how it may be done correctly in the future. It's also somewhat insulting. It assumes that not only am I just a "point-and-drool" type of user, but that I wish to remain that way.

Why? If I mistype a domain name, and get a search results page, I know instantly what happened (I mistyped the domain name), and, odds are, the correct page that I'm looking for is in the search results (usually at the top), one click away, instead of a retype away. This is a net positive for me. Fortunately we can both have it our own way, since you can turn this feature off, right?

First, most search engines will helpfully correct typos in domain names for you. I'm sure that the averag euser finds this behavior a LOT more helpful than a page saying "Nope, can't find it."

Second, domains don't necessarily end with any of the TLDs you listed. In fact, the path you're routing to might not end with a TLD at all - servers on your intranet, or in your hosts file, often don't have TLDs. Treating a URL that differently purely on the basis of whether it ends with a.somedamnthing seems pretty p

But if you enter a valid URL firefox will always take you there even if there is no site, it only googles stuff if you type an invalid url, this is a fair assumptiongoogle.cm/ [slashdot.org] google dot com goes to a google results page

Same with IE. Try typing in "www.fdsgsdfgfgs.com" and you'll indeed go to Bing. Try typing in "http://www.fdsgsdfgfgs.com" and you'll get a DNS error.

I could understand the average user not appreciating the difference, but surely everyone on this site should? Certainly the sort of people who think they're clever enough to use phrases like "hijacking NXDOMAINS".

Absolutely correct. The only thing that's changed is that MS redirected auto.search.msn.com, search.msn.com, and all of live.com to bing.com. So the old MSN Live Search domain not found page (Which should be familiar to anyone who ever misspelled 'getfirefox.com' shortly after installing a new windows system) now says Bing.com instead. Everybody panic!

Seriously, this is the stupidest article I've seen on slashdot in a while. I tried on IE8 on this computer and it sends me to a google search. Oh noes!!! Google and Microsoft have teamed up to hijack NXDOMAIN!

No, IE is just sending you to your default search engine. If you never use IE you probably never changed its default selection of bing/live search. And this isn't NXDOMAIN hijacking! This is an application interpreting an NXDOMAIN response and acting on it in a sensible way.... the kind of behavior that NXDOMAIN hijacking breaks. Seriously, this is a fucking stupid post.

I don't know if it is just my perception, but it feels like MS is back to their old ways with a lot of their activities these days - particularly with regard to anything web facing.

After what felt like a few years of roughly being fair with things, we seem to have had a spate of underhand moves recently. Off the top of my head I can list installing firefox extensions through windows updates without asking (spooking a lot of people including myself - "1 new extension installed what? I didn't install any

I don't know if it is just my perception, but it feels like MS is back to their old ways with a lot of their activities these days - particularly with regard to anything web facing.

At what point did you think that they had left their old ways? The most annoying aspect of their old ways to me was that they were constantly lying about what their intentions/directions were. They did after all start working on OS/2 as the future direction for Windows. More recently they hired a single Open Source guru and d

IE is - as stated above - being helpfull, as a program should be. It is not a "hijacking" since the program requesting the DNS-lookup is IE. This is nothing like having NXDOMAIN, transparently, changed into something it isn't on the network-level.

In one case the program gets to decide what to do and in the other someone else is telling your program that the expected result is something else.

The problem with REAL null domain hijacking is that it breaks software. It breaks VPN clients in a BIG way as well as anything else that searches the Intranet for services. Since this is only active within the web browser and entirely possible to disable, it is far from the big hassle that ISP based hijacks are.

WTF is your VPN doing attempting to resolve VPNed hostnames through your default ISP connection, rather than using a nameserver on the VPN? I'd fire your network security guy, before you get bitten in a big way by a DNS "MITM" - I use quotes because it's really Man In The Wrong Place At The Right Time Who Gets Lucky Because Of An Insecure VPN, but that's not quite as catchy.

IE is not DNS server. What is most likely happening is that with some registry entry a certain way and a certain set of patches, when IE gets a NXDOMAIN when doing a domain name lookup it then does a bing/google/yahoo search (depending on another registry entry for your preferred search engine). It used to show a page with a red X.

This is not DNS hijacking. If somehow Windows now had a caching DNS server that substituted a IP address that then redirected to a bing search or something of that sort, that woul

It's caused by a setting Tools -> Internet Options -> Advanced -> Search Options and "Just Display the results in the main window" is selected. If "Do not submit unknown addresses to your auto-search provider" is selected, if it can't find an address it submits it to your default search provider.

All IE is doing is performing a search for whatever you typed in, if it can't find the domain. If your search engine is set to Bing, it will search there. My search engine is set to Google, so it searches there.

Microsoft today heeded the lessons of technological history, taking the popular "preview porn videos in the search engine" feature and turning its Bob Hope "decision engine" into a porn finder at the address explicit.bobhope.microsoft.com, that loads automatically in Internet Explorer whenever you go to a site that doesn't exist.

"It worked for VHS over Beta, porn sites were leading innovators in online payments. It's a natural synergy," said Steve Ballmer, looking somewhat sweaty and flushed.

Even if you were more right, I'd rather side with him since he can spell.

What was being corrected was ISP for DNS. I don't believe the presence of an apostrophe was the issue the poster was addressing. If you choose to believe a message based on the correctness of punctuation, or even spelling, rather than examining the truth of its (how tempted I was to write it's just to annoy you!) semantic content, you are systematically deluding yourself.

Otherwise well informed people make spelling mistakes. Highly intelligent people make spelling mistakes. People who know how to spell make typos. People who are on the losing side of an argument clutching at straws invest such mistakes with an importance they do not possess.

Well even more to the point IMO: IE isn't "hijacking" NXDOMAIN because IE is the program you're requesting the domain from. Saying IE is hijacking your domain query is a little like claiming the normal pilot of a plane is hijacking it whenever he flies. No, he's not, he's the pilot. It's kind of his job.

What I mean is, if I dropped to the command prompt and typed "nslookup [whatever]", is IE changing the results that I get? If not, then it isn't really fair to say they're "hijacking" anything. If you're typing a domain into your address bar of your browser, and you want something to figure out what you're trying to type and possibly redirecting to a search engine, then the browser is the appropriate place for that to happen. The complaints about DNS "hijacking" is because it's being done by the DNS server and not the browser, but the browser is actually the right place for this to happen.

Now maybe they should offer the option to turn this on or off, but really as long as they're respecting your choice in search engines, I don't think there's a problem. It's a little like complaining that Firefox's Awesome Bar tries to guess what sites you're trying to find.

Well, if you get in a cab, and tell the drive to drive... he say's where to, you say "I-Just-Dont-Exits.com" and he says, he doesn't know that place and gives you some search results instead isn't really hijacking.

In other words, unless you messed up your Firefox install, nothing on Windows 7 makes Firefox (or any other browser) use Bing as a search engine unless you've asked it to. The only reason IE8 even uses Google as the search engine is because I asked it to when I set it up.

None of the browsers have this issue. They all try to resolve http://3.se/ [3.se] and http://www.3.se/ [3.se] but like I said, that domain cannot ever exist as a legitimate domain, so it fails. All the browsers are doing what they've been told to do.

The only thing I can think of, that you may have done to make your Firefox installation use Bing for the searches, is if you asked it to import settings from another browser (IE) which used Bing as its search provider. Are you sure the only thing you did was update Windows and not Firefox? Maybe an update would trigger the question again (I haven't a clue, I don't use it)? Or a fresh install or a misclick somewhere in its settings?

It's their product, and if you input an invalid URL...their product directs you to their search engine to allow you to search for whatever it is you are looking for. How in the fuck is this wrong?

I already answered your question and described what I think is wrong with such practices. If you disagree with my answer, please tell me why you disagree and what part of my reasoning seems invalid to you. An emotive restatement of the question doesn't contribute much.

To me, this would be a legitimate practice PROVIDED that they first ask the user. Ideally, this feature would be off by default, the user would first enable the feature and would then get to choose the search engine that it uses. I'd ha

Mass numbers of suspicious posts on Net messageboards all parroting the same talking points: "I'm a long time Google users and I decided to give Bing a try and By Golly! I'm switching!"

Suspicious? Really? I saw somebody the other day on a Macbook Pro using Bing willingly. It's anecdotal evidence. There's nothing suspicious about it. It happens to some people, not everyone. I'm sure there are people who used Live Search before and switched to Google or Yahoo.

Paying floundering Yahoo to use their search engine

I won't argue with the state of Yahoo, but this has the potential to double the usage of Bing, and make it a much more formidable opponent to Google. It was a good deal.

* Putting up fake news story items on Microsoft web pages that are really nothing more than hidden Microsoft search links attempting to inflate the search marketshare

Haven't seen an example of this yet. Provide one and I'll yield this point.

* And now this crap
The rate Ballmer is throwing billions at their failed search efforts looks like it may actually outdo Microsoft 8 year long Xbox fiasco for.

Read the first few comments - it goes to your default search provider, which is Google if you set it to. And I hate to be the bearer of bad news for your anti-Microsoft sentiments, but the XBox division is doing pretty well for itself right now. They've made Sony a laughing stock this generation.

(original poster here) You're right, I'm not as up on the networking side as I am the code side, and I didn't use the correct terminology when I said "hijacking". However, the NXDOMAIN stuff was added by someone else who edited my post before putting it up on the site; I haven't the slightest idea what NXDOMAIN even is. So yes, I'm ignorant in that regard, but not so much so as to throw out terms I don't understand and give a wildly false report.

I wouldn't be so quick to jump on the editor for this. I saw your original post on the Firehose, in which you claimed Microsoft is redirecting 404s -- this would be monstrous and bad, and while "hijack" is a term you can quibble over, your original report was significantly more dire, and objectively false. A 404 is the HTTP response when you ask for a file that's not on the server. In this case, we don't even get as far as asking the server for the non-existent file, because we can't find its IP -- so we ge